Custom Auth Plugin


Post by namehta » Mon Oct 01, 2007 3:11 am

Hi,

I created the following auth plugin.

Code:
class MyAuthPlugin extends AuthPlugin {
   
   function register($category, $path) {
      $success = parent::register($category, $path);
      $this->addLocaleData();      
      return $success;
   }
   
   function getName() {
      return 'MyPlugin';
   }
   

   function getDisplayName() {
      return 'My Authentication Plugin';
   }
   
   function getDescription() {
      return 'Plugin for authenticating users registered in the My database';
   }
   
   
   //
   // Core Plugin Functions
   // (Must be implemented by every authentication plugin)
   //
   
   function &getInstance($settings, $authId) {
      $returner =& new MyAuthPlugin($settings, $authId);
      error_log("Gave instance", 3, "err_My.log");
      return $returner;
   }

   function authenticate($username, $password) {
      $valid = false;

      //TODO:
      error_log("I am called for auth", 3, "err_My.log");

      //return $valid;
      return true;
   }
}


This plugin appears in the "Authentication Sources" section and I added and configured it as the default. But the log messages that would suggest that the hook methods get called do not appear in the log file. Also, the default return of "true" in the authenticate method should allow any user to proceed, but this doesn't happen.

I looked at the code in the "Validate" class and what I understood from it is that users in the external source should also be registered in the local DB with an AuthID indicating what auth source to use. Is this true?

Also, what is the default role assigned to a user from a custom source? Can I map other roles to such a user?

- Nirav Mehta
namehta
 
Posts: 7
Joined: Sun Sep 30, 2007 6:01 pm

Re: Custom Auth Plugin

Post by namehta » Mon Oct 01, 2007 7:18 pm

I went through the code in the Validate class and came to this conclusion. Users are mapped in the local database to the authorization plugin to be used. So does that mean that every user in the remote source should have at least the username entry and auth source id in the local database?

- Nirav
namehta
 
Posts: 7
Joined: Sun Sep 30, 2007 6:01 pm

Re: Custom Auth Plugin

Post by asmecher » Tue Oct 02, 2007 8:23 am

Hi Nirav,

Yes, a local entry is required in the database in order to ensure referential integrity. This is likely to remain true going forward, as a major component of OJS is record-keeping and the local users table is the heart of that; however, we will be working over the coming months to improve OJS's interoperability with other systems so that although a local users table is required, it can be synchronized with an external source. That synchronization currently takes place in part but if an account is created externally it cannot simply be imported into OJS.

Regards,
Alec Smecher
Public Knowledge Project Team
asmecher
 
Posts: 9214
Joined: Wed Aug 10, 2005 12:56 pm

Re: Custom Auth Plugin

Post by namehta » Wed Oct 03, 2007 12:36 pm

Hi Alec,

I was thinking of working on something similar to a "logon stack" the way JAAS works.

Just a thought: For a journal system that may be used by corporate or group subscriptions, it would be a good idea to provide ready to use authentication plugins for URL logon, etc, maybe even including an additional authentication parameter for the "group_id" or something.

- Nirav
namehta
 
Posts: 7
Joined: Sun Sep 30, 2007 6:01 pm

Re: Custom Auth Plugin

Post by asmecher » Fri Oct 05, 2007 2:53 pm

Hi Nirav,

Agreed -- that would be an excellent addition to OJS and OCS and would go a long way towards improving interoperability between PKP software and other applications. If you'd like to discuss design or approaches, I'd be happy to work through it with you.

Regards,
Alec Smecher
Public Knowledge Project Team
asmecher
 
Posts: 9214
Joined: Wed Aug 10, 2005 12:56 pm

Re: Custom Auth Plugin

Post by namehta » Sun Oct 14, 2007 8:13 am

Hi Alec,

This is how I thought of approaching it:
You already have the AuthPlugin which is perfect. It would be a good idea to treat even the local authentication mechanism as a plugin in the Validation code.

Here is a code that I started with and it ...

Code:
   function &login_new($username, $password, &$reason, $remember = false) {
      $result = false;
      $authDao = &DAORegistry::getDAO('AuthSourceDAO');
      $authSources = &$authDao->getSources();
      
      $nCount = $authSources->getCount();
      for ($iCtr=0; $iCtr<$nCount; $iCtr++) {
         $authSource = $authSources->next();
         
         $authPlugin = $authDao->getPlugin($authSource->getAuthId());
         $result = $authPlugin->authenticate($username, $password);
         if ($result) {
            break;
         }
      }
      return $result;
   }


I called this method from the original "login" method and got rid of the code which was based on the "auth_id". I'm a Java guy and just started with PHP .. basically learning the language on the fly. At this stage the authentication code is working perfectly. Next is the authorization part...

For every authentication source, there should be a provision to assign default journal assignments and corresponding roles. There are 2 issues I need help with:
1. Session Handling: It seems that the session stores just the "userId" and "userName" attributes. If another user logs in with the same userId from another auth source, will there be an issue with the session handling? I'm assuming that it wouldn't, because the browser session will be unique for the 2.
2. Dynamic profile building: Can objects be stored in the PHP session? If so, then in the "User" object, we need to include details such as "journal assignments" and corresponding "role assignments". This object itself can be stored in the session and used in the rest of the access control codes.

Do let me know if you have any other ideas.

- Nirav
namehta
 
Posts: 7
Joined: Sun Sep 30, 2007 6:01 pm
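
An added example (not part of the original post and not OJS code) of the login stack described above, resolving the local account by the pair of auth source and username so that the same username in two sources cannot end up as one session identity. The AuthSource interface, the StaticSource class, the loginStack() function and all data are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for an auth plugin instance (not the real OJS AuthPlugin).
interface AuthSource {
    public function getAuthId(): int;
    public function authenticate(string $username, string $password): bool;
}

// Constructed source for the demo: a fixed username => password-hash table.
final class StaticSource implements AuthSource {
    private int $authId;
    private array $hashes;
    public function __construct(int $authId, array $hashes) {
        $this->authId = $authId;
        $this->hashes = $hashes;
    }
    public function getAuthId(): int { return $this->authId; }
    public function authenticate(string $username, string $password): bool {
        return isset($this->hashes[$username])
            && password_verify($password, $this->hashes[$username]);
    }
}

// Try each source in order. On the first success, resolve the local user row by
// (auth_id, username), never by username alone. Returns the local user id, or
// null when no source accepts the credentials or no local row is bound to it.
function loginStack(array $sources, array $localUsers, string $username, string $password): ?int {
    foreach ($sources as $source) {
        if (!$source->authenticate($username, $password)) {
            continue;
        }
        $key = $source->getAuthId() . ':' . $username;
        return $localUsers[$key] ?? null; // fail closed: no local row, no login
    }
    return null;
}

// Constructed data: the same username exists in two sources with different passwords.
$sources = [
    new StaticSource(1, ['jsmith' => password_hash('alpha-pass', PASSWORD_DEFAULT)]),
    new StaticSource(2, ['jsmith' => password_hash('beta-pass', PASSWORD_DEFAULT)]),
];
$localUsers = ['1:jsmith' => 101, '2:jsmith' => 202, '1:editor' => 103];

var_dump(loginStack($sources, $localUsers, 'jsmith', 'alpha-pass')); // accepted by source 1
var_dump(loginStack($sources, $localUsers, 'jsmith', 'beta-pass'));  // accepted by source 2
var_dump(loginStack($sources, $localUsers, 'jsmith', 'wrong-pass')); // accepted by none
```

Storing the resolved local user id in the session, rather than the username typed at the login form, keeps the two accounts apart in every later access-control check.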

OJS Web Services API - Re: Custom Auth Plugin

Post by GennadyK » Thu Oct 25, 2007 2:24 pm

Hi,
We have Adobe Connect (formerly Macromedia Breeze) integrated with SSO (JOSSO).
Acrobat Connect XML Web Services API can be used for portal integration:
http://help.adobe.com/en_US/Connect/6.0 ... s/help.pdf

To log in to the system we just need to call a URL (HTTP Request) like this:
http://cme.ojs.com/api/xml?action=login ... ord=my_pwd
And if ok we will get HTTP Response:

<?xml version="1.0" encoding="utf-8"?>
<results><status code="ok"/></results>

In case of error:
<?xml version="1.0" encoding="utf-8"?>
<results><status code="no-data"/></results>

When a user logs in, Connect Enterprise returns a cookie that
identifies the user’s session. You need to pass the cookie back to the server on all calls made to
the server during the user’s session. Then, when the user logs out, the server makes the cookie
expire and you should invalidate it.

This mechanism works pretty well with JOSSO:
Page we want to access: http://cme.ojs.com/Sep07c
We pass it as targetUrl to the JOSSO agent for Adobe Connect:
http://www.ojs.com/sso/cme.asp?targetUr ... com/Sep07c

Inside of http://www.ojs.com/sso/cme.asp:
If the user has successfully logged on to JOSSO, then we do an HTTP Request to Adobe Connect:
http://cme.ojs.com/api/xml?action=login ... ord=my_pwd

From the HTTP Response we get the status and the user’s session cookie.
Finally we redirect the user to targetUrl:
url=targetUrl+"?session="+user_session_cookie
Response.Redirect(url)

Would it be hard to make something like this for OJS? As I can see web services is a very common interface for all kinds of systems. And you can add new calls later, like to show journal's statistics on the portal.

We envision it as this:
URL for API: http://www.website.com/api
For method call use word: do or method
For object use: with or object
For parameters - name of parameters
For scope - either system-wide(all) or just for one or few journals: scope or journal

First priority methods we need are:
1. Login User
http://www.website.com/api?do=login&use ... ord=my_pwd
- for method login by default object or with=user and scope journal=all
2. Create User
http://www.website.com/api?do=create&wi ... la@ojs.com
- for Create User method by default role=Reader and scope journal=all
3. Change User - username as email could be changed if someone has, as we have, username=email and password.
Could be called only after user/admin logon
http://www.website.com/api?do=change&wi ... la@ojs.com
4. Search Journal Content - to display list of articles on the portal page, with links to forward the user to the content.


The api.php will not be that difficult to build as it will just parse parameters, use one of the OJS methods to get results, and build an XML response the same way that the XML export does.
And we are willing to put our efforts into it, once the OJS development team is OK with it. We don't want it to be considered as a separate part, but as part of OJS, so that it will be updated/incorporated with future versions of OJS.

Thank you,
Gennady
Last edited by GennadyK on Fri Jan 25, 2008 2:03 pm, edited 1 time in total.
GennadyK
 
Posts: 19
Joined: Tue Apr 24, 2007 9:16 am
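
A caller such as the cme.asp agent described above has to decide from the XML response whether the login worked. As an added example (not from the original post, Adobe or PKP), a PHP check that treats anything other than a well-formed document with a single status element whose code is "ok" as a failed login; the function name loginSucceeded() is hypothetical and the third sample is constructed.

```php
<?php
declare(strict_types=1);

// Returns true only for a well-formed <results> document that carries exactly
// one <status> element with code="ok". Parse errors, missing elements and any
// other status code all count as a failed login.
function loginSucceeded(string $body): bool {
    $previous = libxml_use_internal_errors(true);  // collect parse errors quietly
    $xml = simplexml_load_string($body, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if ($xml === false || $xml->getName() !== 'results') {
        return false;
    }
    if (count($xml->status) !== 1) {
        return false;
    }
    return (string) $xml->status['code'] === 'ok';
}

// The two responses quoted in the post, plus one constructed truncated body.
$samples = [
    'ok'        => '<?xml version="1.0" encoding="utf-8"?><results><status code="ok"/></results>',
    'no-data'   => '<?xml version="1.0" encoding="utf-8"?><results><status code="no-data"/></results>',
    'truncated' => '<?xml version="1.0" encoding="utf-8"?><results><status code="ok"',
];

foreach ($samples as $label => $body) {
    printf("%-10s %s\n", $label, loginSucceeded($body) ? 'login accepted' : 'login rejected');
}
```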

Re: Custom Auth Plugin

Post by namehta » Thu Oct 25, 2007 10:42 pm

Hi Gennady,

This is a great idea. Until then, this is what I am planning to do:

Create an authentication plugin with a variable parameter like 'source'. Create a Java servlet which accepts username/password and a source ID. This servlet will basically extend calls to logon modules based on the authentication and source. The logon method I'll follow now is:

1. User tries to logon to OJS.
2. OJS calls all sources configured with the plugin.
3. Plugin calls the servlet with these parameters.
4. Servlet delegates to respective Java modules which can make JDBC calls or whatever and returns the authentication result.
5. Servlet returns the result to OJS.
6. If a match is found, OJS will pick a preconfigured userid/passwd for the source which has all the relevant journal assignments and subscription details and mask the authentication to that user instead.

This way, we can achieve authentication with external sources as well as avoid making any serious changes to the authorization mechanism.

- Nirav
namehta
 
Posts: 7
Joined: Sun Sep 30, 2007 6:01 pm

Re: Custom Auth Plugin

Post by GennadyK » Thu Jan 24, 2008 2:43 pm

GennadyK
 
Posts: 19
Joined: Tue Apr 24, 2007 9:16 am

